Cisco IOS and IOS XE Multiple Vulnerabilities

Multiple vulnerabilities including authorization bypass, DoS, arbitrary code execution and such other critical vulnerabilities were observed in various Cisco IOS and IOS XE devices in September 2020. To this, Cisco published a collated report of all 34 vulnerabilities as an advisory – ERP-74268.

In its semi-annual report, published on Sept 24, 2020, Cisco released bundles of advisory to address Cisco IOS and IOS XE multiple vulnerabilities, which fall into High to Critical in severity.

List of CVEs and their corresponding vulnerabilities/products are listed in affected products.

Affected Products/Devices:

No.	CVE IDs	Affected Products/devices
1	CVE-2020-3511	Cisco IOS and IOS XE Software ISDN Q.931 Denial of Service Vulnerability
2	CVE-2020-3409	Cisco IOS and IOS XE Software PROFINET Denial of Service Vulnerability
3	CVE-2020-3512	Cisco IOS and IOS XE Software PROFINET Link Layer Discovery Protocol Denial of Service Vulnerability
4	CVE-2020-3408	Cisco IOS and IOS XE Software Split DNS Denial of Service Vulnerability
5	CVE-2020-3426	Cisco IOS Software for Cisco Industrial Routers Virtual-LPWA Unauthorized Access Vulnerability
6	CVE-2020-3417	Cisco IOS XE Software Arbitrary Code Execution Vulnerability
7	CVE-2020-3526	Cisco IOS XE Software Common Open Policy Service Engine Denial of Service Vulnerability
8	CVE-2020-3465	Cisco IOS XE Software Ethernet Frame Denial of Service Vulnerability
9	CVE-2020-3510	Cisco IOS XE Software for Catalyst 9200 Series Switches Umbrella Connector Denial of Service Vulnerability
10	CVE-2020-3492	Cisco IOS XE Software for Catalyst 9800 Series and Cisco AireOS Software for Cisco WLC Flexible NetFlow Version 9 Denial of Service Vulnerability
11	CVE-2020-3359	Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers Multicast DNS Denial of Service Vulnerability
12	CVE-2020-3414	Cisco IOS XE Software for Cisco 4461 Integrated Services Routers Denial of Service Vulnerability
13	CVE-2020-3508	Cisco IOS XE Software for Cisco ASR 1000 Series 20-Gbps Embedded Services Processor IP ARP Denial of Service Vulnerability
14	CVE-2020-3416 CVE-2020-3513	Cisco IOS XE Software for Cisco ASR 900 Series Route Switch Processor 3 Arbitrary Code Execution Vulnerabilities
15	CVE-2020-3509	Cisco IOS XE Software for Cisco cBR-8 Converged Broadband Routers DHCP Denial of Service Vulnerability
16	CVE-2020-3422	Cisco IOS XE Software IP Service Level Agreements Denial of Service Vulnerability
17	CVE-2020-3141 CVE-2020-3425	Cisco IOS XE Software Privilege Escalation Vulnerabilities
18	CVE-2020-3407	Cisco IOS XE Software RESTCONF and NETCONF-YANG Access Control List Denial of Service Vulnerability
19	CVE-2020-3400	Cisco IOS XE Software Web UI Authorization Bypass Vulnerability
20	CVE-2020-3421 CVE-2020-3480	Cisco IOS XE Software Zone-Based Firewall Denial of Service Vulnerabilities
21	CVE-2020-3486 CVE-2020-3487 CVE-2020-3488 CVE-2020-3489 CVE-2020-3493 CVE-2020-3494 CVE-2020-3497	Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family CAPWAP Denial of Service Vulnerabilities
22	CVE-2020-3399	Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family CAPWAP Denial of Service Vulnerability
23	CVE-2020-3390	Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family SNMP Trap Denial of Service Vulnerability
24	CVE-2020-3428	Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family WLAN Local Profiling Denial of Service Vulnerability
25	CVE-2020-3429	Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family WPA Denial of Service Vulnerability

Advisory

Cisco Event Response: September 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled

Mitigations

To determine whether any of Cisco IOS or IOS XE software release is vulnerable, Cisco recommends using Cisco Software Checker. To mitigate the risk, Cisco advises to update the products/devices with the latest patches.

Workaround/Mitigation Detection

Qualys Policy Compliance customers can evaluate workaround based on following Controls

• • CVE-2020-3421 Cisco IOS XE Software Zone-Based Firewall Denial of Service  Vulnerabilities
    1. 19491 Status of the ‘one-minute high’ within the ‘parameter-map type inspect’ global configuration
    2. 19492 Status of the ‘log dropped-packets’ within the ‘parameter-map type inspect’ global configuration
• • CVE-2020-3407 Cisco IOS XE Software RESTCONF and NETCONF-YANG Access Control List Denial of Service Vulnerability
    1. 19482 Status of the ‘number of ipv4 ACL count’ for ‘restconf ipv4 access-list name’ config command
    2. 19483 Status of the ‘number of ipv6 ACL count’ for ‘restconf ipv6 access-list name’ ACL count config command
    3. 19484 Status of the ‘number of ipv4 ACL count’ for ‘netconf-yang ssh ipv4 access-list name’ ACL count config command
    4. 19485 Status of the ‘number of ipv6 ACL count’ for ‘netconf-yang ssh ipv6 access-list name’ ACL count config command
• • CVE-2020-3422 Cisco IOS XE Software IP Service Level Agreements Denial of Service Vulnerability
    1. 19489 Status of the ‘ip sla key-chain’ global command configuration
    2. 19490 Status of the ‘ip sla responder’ global command configuration
• • CVE-2020-3508 Cisco IOS XE Software for Cisco ASR 1000 Series 20-Gbps Embedded Services Processor IP ARP Denial of Service Vulnerability
    1. 19488 Status of the ‘arp entries interface-limit’ global configuration command

• • CVE-2020-3510 Cisco IOS XE Software for Catalyst 9200 Series Switches Umbrella Connector Denial of Service Vulnerability
    1. 19486 List of the interfaces where the ‘umbrella out’ feature is enabled on the device (interfaces)
    2. 19487 List of the interfaces where the ‘umbrella in’ feature is enabled on the device (interfaces)

Qualys Detection

Qualys customers can scan their network with QIDs 316712, 316713, 316714, 316715 and 316716 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.

References
https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74268

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-isdn-q931-dos-67eUZBTf

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-profinet-J9QMCHPB

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-profinet-dos-65qYG3W5

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-splitdns-SPWqpdGW

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-lpwa-access-cXsD7PRA

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xbace-OnCEbyS

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-COPS-VLD-MpbTvGEW

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-le-drTOB625

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-umbrella-dos-t2QMUX37

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-wlc-fnfv9-EvrAQpNX

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mdns-dos-3tH6cA9J

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ISR4461-gKKUROhx

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esp20-arp-dos-GvHVggqJ

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-rsp3-rce-jVHg8Z7c

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-dhcp-dos-JSCKX43h

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipsla-jw2DJmSv

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-webui-priv-esc-K8zvEWM

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-confacl-HbPtfSuO

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-auth-bypass-6j2BYUc7

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-zbfw-94ckG4G

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capwap-dos-TPdNTdyq

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capwap-dos-ShFzXf

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-ewlc-snmp-dos-wNkedg9K

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dclass-dos-VKh9D8k3

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wpa-dos-cXshjerc